Take Charge of Windows Updates

It seems like every month that at least one of my laptop using co-workers gets blindsided by 15 – 30 minutes worth of pending updates when they need to shut down their laptop and leave in a hurry. Keeping your software up to date with the latest security fixes is important — read Krebs on Security or the F-Secure weblog if you think otherwise — but you don’t have to let Redmond’s Windows Update service bully you.

Black Tuesday: Expect It

Unless something critical comes up earlier, Microsoft releases updates for all of their products on the second Tuesday of every month. Typically, those updates will hit your computer on Wednesday or Thursday.  Plan for it.

If you’d like to be reminded of what’s coming, there are a number of news feeds or mailing lists that you can subscribe to that publish summaries of the expected updates.

Microsoft Security Bulletin Advance Notification: http://technet.microsoft.com/en-us/security/gg309152.aspx

The Shutdown Button

If your computer has updates waiting to be applied, then the default choice for the shutdown button becomes “Apply updates and shut down”, but you have other choices. If now is not a convenient time to apply updates:

  • On Windows 7 or Vista: Note that there’s a little arrow on the shut down button. If you click it, it will expand into a menu with other choices, including some that allow you to shut down without applying updates.

Windows 7 shutdown menu

  • If you’re one of those poor souls still stuck using Windows XP, the shut down prompt has a drop-down list which allows you to choose some other ways of shutting down without applying updates.

Windows XP Pro shut down

Pre-Emptive Updating

If you know updates are available, you don’t have to wait until Windows forces you to apply them. You can start the process yourself and let it run in the background while you continue working. Then you can reboot your computer at a more convenient time. (Do reboot it though, so that the updates can finish applying.)

To start applying updates:

  • On Windows 7, go to Start > Control Panel > System and Security > Windows Update to start applying updates.
  • On Windows XP, open Internet Explorer and go to http://www.update.microsoft.com/.

Now once the updating process finishes, Windows will start prompting you, with very annoying frequency, to restart your computer to complete the process. It may even try to force you to restart. No worries – you can silence that prompt by temporarily turning off the Windows service that manages the updates:

  • On Windows 7 or Vista, go to Start > Control Panel > System and Security > Administrative Tools. In the Administrative Tools, start the Services tool. Find the Windows Update service. Right click on it and select Stop.
  • On Windows XP, go to Start > Control Panel > Administrative Tools. In the Administrative Tools, start the Services tool. Find the Automatic Updates service. Right click on it and select Stop.

#black-tuesday, #windows-updates

Luna SA HSM Concepts

A Hardware Storage Module (HSM) is a more secure alternative to the keystore file most Java developers are familiar with. The HSM stores cryptographic data such as private keys and certificates in RAM or flash storage. Through software APIs, the Luna HSM participates in cryptographic operations like digital signatures without actually releasing the secured credentials to your applications, where they potentially could be exported or misused.

This was an important point for me to understand. Initially, I thought that I could get a private key and certificate chain from my Luna HSM at application startup, just like a keystore file, and then cache the credentials in memory for when I needed them. But it doesn’t work that way: the Luna API objects only give you pointers to data stored on the HSM; not the data themselves. My ‘cached certificates’ only resulted in NullPointerExceptions because the connections had expired by the time I tried to use them.

Most HSM devices include extra-paranoid security features to ensure that the data they hold does not fall into hostile hands. In addition to requiring authentication to use stored objects, the Luna SA includes tamper-detection features like a chassis opening sensor and an internal thermometer. If an intrusion is detected, the HSM erases its storage to prevent sensitive data from being stolen. You will want to make sure that all of your data center admins are aware of these features to prevent accidents!

The Luna SA also includes dedicated hardware for accelerated cryptographic calculations. Some models have high availability features.


There are multiple layers of systems on a Luna SA:

  • The appliance operating system
  • The HSM card
  • Logical partitions created within the HSM

The operating system’s root user is named ‘admin’. Admin can manage the device’s base configuration: networking, time, hardware settings. You can give the admin password to to data center staff who maintain the appliance, because the admin user has no authorization to access the HSM contained within.

The HSM itself is installed in a ‘slot’ inside the Luna SA. (I don’t know if ‘slot’ refers to a physical slot for an expansion card or just a logical interface to the HSM hardware. On the Luna SA 5, the built-in HSM is in slot 1 and slots 2 – 4 are available for backup devices to plug into.) The HSM has its own administrator, apart from the OS admin. It is sometimes referred to as the ‘security officer’ or ‘SO’ in documentation. You can manage the HSM by first logging into the Luna as the OS admin and then running the hsm command and supplying the security officer password.

Within the HSM, the SO can configure logical partitions for storage of crypto artifacts. Each partition has its own password. So one Luna SA can be used by multiple groups or applications. At my company, we’ve created one partition for certificates used by developers and another for production. That satisfies the regulatory requirement for separation of duties and controls between development and production personnel.

Some administration functions are done from a command line on the Luna. Others need to be performed remotely, using the command line tools that are provided with the client software.

Luna SA Setup

Turning on the appliance for the first time and configuring networking is pretty straightforward and is explained well by the documentation, so I don’t think it’s necessary for me to cover it. The only questions our network admin had for me related to some HSM-specific terms in the documentation.

Cloning refers the the backup process for the HSM. To permit the contents of the HSM to be backed up to a USB token, you need to enable cloning and assign the same cloning domain name to both the HSM and the backup token.

PIN means ‘password’ – at least in our configuration. If you have configured FIPS 140-2 Level 3 security, then the authentication process is different.

Manufacturer Documentation

Complete documentation, including a Getting Started guide and a full listing of options for all of the commands used below, is included with the Luna SA client software, in the form of a collection of HTML pages which you can unzip into a local directory. In addition, once you have the client software installed, you will find a Java API Guide and example code in the Program Files\LunaSA\JSP directory on your computer.

Installing Client Software

Instructions are provided for installing and configuring on Windows and AIX, since those are the operating systems I have worked with. The process for Linux or other UNIX breeds is probably pretty similar to AIX.

Tips for installing the client software:


  • The main installer launches several other installs before it completes. If you’re developing in Java or Groovy, you need the Java Security Provider (JSP). If you’re developing in C, you need the C Security Provider (CSP).
  • You may need to add C:\Program Files\LunaSA\JSP\lib to PATH in your Windows environment variables. (This puts LunaAPI.dll on java.library.path. You can run groovy -e “println System.getProperty(‘java.library.path’)” from a command line to verify what’s in java.library.path.)
  • Make sure there is a Windows environment variable named “ChrystokiConfigurationPath” and add it if it is missing. The value should indicate the location of the crystoki.ini file, which should be “C:\Program Files\LunaSA” in the default installation.


  • Before starting the installation, ensure that you have a Random Number Generator (RNG) or Entropy Gathering Daemon (EGD) on your system at one of /dev/egd-pool, /etc/egd-pool, /etc/entropy, or /var/run/egd-pool.
  • If you’re developing in Java or Groovy, answer ‘Y’ to install the Java Security Provider (JSP) and ‘Y’ to install the SDK.
  • Following installation, it is necessary to configure any environment where the Luna client is going to be used so that the Java runtime can interface with the native libLunaAPI.so library. Some of these methods for setting java.library.path are redundant. If you don’t have libLunaAPI.so on java.library.path, it will result in
    java.lang.UnsatisfiedLinkError: LunaAPI_64 (Not found in java.library.path)
    • Add /usr/lunasa/jsp/lib/ to the PATH environment variable
    • Add -Djava.library.path=/usr/lunasa/jsp/lib/ to the JAVA_OPTS environment variable
    • Add “/usr/lunasa/jsp/lib/” to the LIBPATH environment variable
    • Include /usr/lunasa/jsp/lib/LunaProvider.jar in your CLASSPATH

Registering a Client with the Luna HSM

The client software communicates with the HSM using SSH. Before you can start working with the crypto features, you will need to set up a trust between your client and the HSM by exchanging keys.

My experience has indicated that when a command requires you to specify a hostname you should provide only the unqualified hostname, without the domain name, for the server or client. The tools create files using the hostnames you enter, and in some cases, extra periods in the filenames seem to cause issues. Also, be consistent with case when you type the hostnames. They are added to configuration files and certificates exactly as you type them.

  • On the client, open a command prompt and cd to the directory where the client software is installed. On Windows that will be C:\Program Files\LunaSA. On AIX that will probably be /usr/lunasa/bin.
  • Download a copy of the server’s public key. On AIX, you can use the built in secure copy (scp) command. For Windows, PuTTY pscp is included with the client software.
    • Windows:
      scp admin@<hsm_hostname>:server.pem ../cert/server
    • AIX:
      pscp admin@<hsm_hostname>:server.pem ./cert/server
  • Configure your client to trust the server. This step uses the vtl client command.
    • Windows:
      vtl addServer -n <hsm_hostname> -c cert/server/server.pem
    • AIX:
      ./vtl addServer -n <hsm_hostname> -c ../cert/server/server.pem
  • Generate a private key for your client. Running this command will cause two files to be created in LunaSA/cert/client.
    • Windows:
      vtl createCert -n <client_hostname>
    • AIX:
      ./vtl createCert -n <client_hostname>
  • Export the client cert you generated and transmit it to the server. Note that there is a colon on the end of the server’s hostname, designating that you want to copy your client certificate to the root directory on the server. If you leave the colon off, it will result in the error message “Local to local copy not supported”.
    • Windows:
      pscp "cert\client\<client_hostname>.pem" admin@<hsm_hostname>:
    • AIX:
      scp ../cert/client/<client_hostname>.pem admin@<hsm_hostname>:
  • On the hsm command line, associate the key file to your client by hostname. This command registers the client by its DNS hostname. If your client isn’t found in DNS, the HSM can’t see it.
    client register -client <client_hostname> -hostname <client_hostname>

  • Assign the client to a partition. (Note that you can get a list of partition names by issuing the partition list command.) You will need to know the partition password.
    • On the hsm command line:
      client assignPartition -client <client_hostname> -partition <partition_name>
    • Confirm the setup. On the client command line:
      vtl verify

Requesting and Importing Certificates

  • On the client, open a command prompt and cd to the directory where the client software is installed. On Windows that will be C:\Program Files\LunaSA. On AIX that will probably be /usr/lunasa/bin.
  • Generate public and private keys using the certificate management utility, cmu. Once you have objects stored on the HSM, you will reference them by either numeric handle or text label. It’s best to give the keys descriptive labels, such as “developer_private_key” or “widgetco_inc_public_key”. The handles are just numeric ids assigned automatically when you upload objects.
    cmu generatekeypair -modulusbits=2048 -publicexponent=65537 -sign=T -verify=T -labelpublic="<public_key_label>" -labelprivate="<private_key_label>"
  • Create a certificate request. You can use the cmu list command to show a list of objects stored on the HSM, including the handle and label assigned to each. If there is only one keypair on the partition, the following command defaults to it. If there are more than one, you must also specify -publichandle and -privatehandle options.
    cmu requestcertificate -c="<two_letter_country_code>" -o="<organization_name>" -cn="<common_name>" -s="<state>" -l="<city/locality>" -publichandle=<public_handle> -privatehandle=<private_handle> -outputfile=""
  • The next step depends on the procedure that your certificate authority uses. But it will probably go something like this: Go to the certificate authority’s website and follow their procedures to request a new certificate. At the point when you are given a chance to supply a certificate request of your own, open the CSR file you generated and paste the text from it into the certificate request window. Download the certificate files that are generated from it, following the website’s instructions. When you are done, you should have a certificate file and one or more CA certificate files downloaded to your client.
  • Import each certificate into the HSM partition. Assign each file that you import a meaningful, unique label.
    cmu import -inputFile="<filepath_and_filename_of_cert>" -label="<certificate_label>"
  • If, for any reason, you need to change a label or other attribute after import, you can use the cmu setAttribute command.
    cmu list

    cmu setAttribute -handle=<handle> -label=<new_label>

#cryptography, #digital-signature, #hsm, #luna-sa

Configuring Luna HSM Software on AIX

Addendum: The Luna SA 4 series API separated the JCA and JCE into two separate jars. The Luna SA 5 API has combined all of the objects and methods into a single file, LunaProvider.jar.

We’re using a Luna HSM with Tomcat running on IBM AIX to sign PDFs in a web application. There were a few extra steps required to get the Luna software working with Java that the setup instructions did not mention, so I’m documenting them here.

The LunaSA software installed to /usr/lunasa. The Java Security Provider API for the Luna includes three files, which are found in /usr/lunasa/jsp/lib. They are libLunaAPI.so, the native (C++ I presume) library for accessing the Luna; and LunaJCASP.jar and LunaJCESP.jar, which are the security providers for Java.

First, we verified that we had a randomness generator configured in the right directory, as described by the Luna setup instructions. Then we installed the software. Next we configured a trust relationship between the Luna and our server by exchanging certificates, as per instructions.

The additional steps were setting some environment variables for the user account that Tomcat runs with:

JAVA_OPTS should include -Djava.library.path=/usr/lunasa/jsp/lib/. Putting the Luna library directory on java.library.path makes the native libLunaAPI.so library available to the Java Native Interface. If it is not there, any application trying to use the Luna API will throw an ”UnsatisfiedLinkException”.

LIBPATH should be set and should include /usr/lunasa/jsp/lib/. This is another way of getting the native Luna API library on java.library.path. It may not be necessary if the path is set in JAVA_OPTS.

CLASSPATH should be set and should include /usr/lunasa/jsp/lib/LunaJCASP.jar and /usr/lunasa/jsp/lib/LunaJCESP.jar. Contrary to our expectations, just having the jar files in the /lib folder of our war file didn’t seem to make the jar files available to our web app. Adding them to the Tomcat user’s classpath made everything work.

We are using the 64-bit Luna software with IBM Java 6, 64-bit.

#aix, #hsm, #java, #luna, #tomcat

Symantec Mail Security Handling of Open Proxy Spam

This story is about an unexpected behavior in Symantec Mail Security for SMTP (version 5.0.1) and how to access the double-secret advanced settings in the admin console.

To explain: As with any mail server, our postmaster address gets a tremendous volume of spam. I’m not sure why we’ve got all of our mail server administrators receiving the email to postmaster – maybe it’s because on our Lotus Domino server the postmaster address and the Domin admin address go to the same place? I don’t know; I’m not a Domino admin, but firewall and antivirus administration are part of my job duties. Anyway, the volume of spam dumping into all of our Domino admins’ mailboxes has gotten bad enough that they asked me to start rejecting everything sent to postmaster. That’s probably not Best Practices . . . but I understand why they’re asking for it.

We use Symantec Mail Security for SMTP (5.0.1) to block viruses and spam before it hits Domino. SMS lets you set up compliance policies based on syntax-maatching rules, so I set up a compliance policy to automatically quarantine any email with our postmaster address in the recipient field. This reduced the amount of spam, but curiously, did not completely stop it. So I investigated.


SMS applies filter rules in order, and apparently some rules are applied before my new ‘postmaster’ compliance policy. If a message matches the Open Proxy filter, then the actions defined for that filter get applied instead. Which, in this case, seemed to be ‘Send a bounce message, Delete the message’. And for messages where the spammer had forged the sender’s address and used our postmaster’s address for it, the bounce notifications sent by our own SMS server were still getting sent to postmaster.

Well, that behavior should be configurable, shouldn’t it? I went looking for where to configure the Open Proxy List filter. Under Policies, in Sender Groups, I found two groups that might be what the message tracking report was showing as ‘Open Proxy List’. The most obvious was the one named Open Proxy Senders, but I reasoned that Blocked Senders (Third Party Services) might also apply, since that’s where our DNS black lists are specified. But neither of these groups was configured to ‘Send a bounce message, Delete the message’.


At this point, I called Symantec tech support, and here’s where the case started to get interesting. As it turns out, Symantec provides their own open proxy list, separate from the DNSBLs that customers can add. And by default, the product’s behavior for messages that match the Symantec-supplied list is not configurable by the end user. I absolutely hate when developers design in features that are deliberately not configurable in the UI. That’s so . . . Microsoft.

Evidently, someone else had already stumbled across this problem before me, because a recent patch to SMS had added a control to the admin console to let you adjust this behavior. Good! But guess where you find it?

The Symantec tech instructed me to go to Settings. Then she had me click on some white space on the side of the screen – making sure that no buttons or text fields had focus. Then she had me hit Shift+A. This opens a secret Advanced Attributes view. As far as the tech could tell me, this secret settings screen is not documented in any of the end user guides, probably because, like editing the Windows registry, if you don’t understand what you’re doing, changing any of these settings can break Symantec Mail Security.

That said, it still irks me that there are a lot of undocumented or unconfigurable aspects of this product. I think that it would save Symantec a lot of calls if they were willing to put the knowledge and the power to fix things in the hands of the email admins who use SMS. At least then you’d know it was your own fault when you broke the server.


Here at the bottom of the Advanced Attributes screen, somewhat obscurely labeled ‘Static Firewall Backup’, is the setting that should change the behavior for handling Open Proxy List messages.

And here’s another report from later in the day, showing that the policy change worked.


#advanced-settings, #open-proxy-list, #secret-settings, #symantec-mail-security-for-smtp

Upgrading PHPList on Lunarpages Hosting

Spent some time this week upgrading phplist mailing list software from 2.10.5 to 2.10.10 on a site hosted on Lunarpages.com that I help out with.

After upgrading, I ran into two issues.

1. Upon first accessing the admin page after upgrading, it was showing HTTP Error 500: Internal Server Error. Phplist’s troubleshooting document tells how to correct that problem:

HTTP Error 500: Internal Server Error – The server encountered an internal error or misconfiguration and was unable to complete your request. This error message may have different causes. If you get a “500 Server Error” when installing, your server is probably running PHP as a cgi, not as an Apache module (also known as phpsuexec). Solution: In /lists/.htaccess, find php_flag magic_quotes_gpc on and delete or comment out (with a #) this line. (However phpList may display “Warning: Things will work better when PHP magic_quotes_gpc = on” which is addressed below)

2. On the Send a Message screen, the editor field was missing – in fact everything below the tabs was gone! I found a fix in the phplist forums. Specifically, just removing the comments from line 1034 wasn’t enough. Replacing lines 1031 – 1042 with the following, as recommended, fixed it.

$maincontent .= '
<tr><td>'.Help("subject").' '.$GLOBALS['I18N']->get("Subject").':</td>
<td colspan="2">
<tr><td>'.Help("from").' '.$GLOBALS['I18N']->get("fromline").':</td>
<tr><td colspan="2">

#lunarpages, #phplist

Things You Never Want to See in Your Data Center


A worker came in today to do maintenance on the emergency lighting. This is the light that is supposed to come on in case of an emergency – like a fire.